CN114039889B - Network anomaly detection method and related device based on round trip delay time sequence - Google Patents

Publication number: CN114039889B
Application number: CN202111136164.3A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114039889A (en)
Inventors: 黄小红, 刘飞, 李丹丹, 邝野, 丛群, 赵杰, 徐燕山
Current assignee: Beijing Wangruida Science & Technology Co ltd; Pla 32147; Beijing University of Posts and Telecommunications
Original assignee: Beijing Wangruida Science & Technology Co ltd; Pla 32147; Beijing University of Posts and Telecommunications
Prior art keywords: round trip, trip delay, link, links, probability distribution
Classifications

    • H04L43/0852 Delays (under H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters)
    • G06F16/2462 Approximate or statistical queries
    • G06F16/2474 Sequence data queries, e.g. querying versioned data
    • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks
    • H04L43/50 Testing arrangements
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The disclosure provides a network anomaly detection method based on a time sequence of round trip delay. The method comprises: carrying out route tracking on a target network to obtain a time sequence of first round trip delay of a plurality of links; clustering the links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set; determining a statistical model corresponding to the link set by using a Bayesian information criterion; for a target link, obtaining a first probability distribution sequence of the first round trip delay based on the statistical model corresponding to the link set to which the target link belongs; acquiring a time sequence of a second round trip delay of the target link, and obtaining a second probability distribution sequence of the first round trip delay according to the probability of the first round trip delay distributed in the time sequence of the second round trip delay; and obtaining a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence. The network anomaly detection method and device can accurately detect network anomalies.

Description

Network anomaly detection method and related device based on round trip delay time sequence
Technical Field
The disclosure relates to the technical field of internet, in particular to a network anomaly detection method and a related device based on a round trip delay time sequence.
Background
A network anomaly refers to a network being in an abnormal state when one or more network elements (links, switches, routers, etc.) located in a particular geographic area are not working properly or service is not reachable due to some factor. Network anomalies can be divided into two categories: 1) network conditions deviate from expected operation because normal traffic is blocked or because a large amount of traffic is artificially directed into the network, for example network congestion; 2) the network deviates significantly from normal operation because of cable damage caused by natural disasters or because of attacks by malicious traffic, for example a network outage.
In the prior art, network anomaly detection is performed through network measurement, and network measurement is mainly divided into active measurement and passive measurement. Active measurement is mainly carried out by means of traditional measuring tools such as Ping and Dig. Performance indexes such as delay, path information and the like from different geographic positions to a measurement target are acquired in a distributed measurement environment to analyze network connectivity problems, so that potential faults are found. Passive measurements are then mainly used to learn about the network conditions by detecting control plane data. By means of network measurement, the actual working conditions of the network running environment, the network application and the service can be known.
Disclosure of Invention
In view of the foregoing, an object of the present disclosure is to provide a method and related apparatus for detecting network anomalies based on a round trip delay time sequence.
Based on the above object, the present disclosure provides a network anomaly detection method based on a round trip delay time sequence, including:
carrying out route tracking on a target network to obtain a time sequence of first round trip delay of a plurality of links in the target network; the time sequence of the first round trip delay comprises a plurality of first round trip delays;
clustering the links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set;
determining a statistical model corresponding to the link set by using a Bayesian information criterion;
for a target link, obtaining a first probability distribution sequence of the first round trip delay of the target link based on the statistical model corresponding to the link set to which the target link belongs; the target link is any one of the links in the target network; the first round trip delay which is repeated is not included in the first probability distribution sequence;
acquiring a time sequence of a second round trip delay of the target link, and acquiring a second probability distribution sequence of the first round trip delay of the target link according to the probability of the first round trip delay distributed in the time sequence of the second round trip delay; the time sequence of the second round trip delay comprises a plurality of second round trip delays; the second probability distribution sequence does not contain repeated first round trip delay;
and obtaining a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence.
Based on the same inventive concept, the present disclosure provides a network anomaly detection apparatus based on a round trip delay time sequence, including:
a round trip delay time sequence acquisition module configured to perform route tracking on a target network to obtain a time sequence of first round trip delays of a plurality of links in the target network; the time sequence of the first round trip delay comprises a plurality of first round trip delays;
the link clustering module is configured to cluster the links according to the similarity of the time sequence of the first round trip delay and the connection relation between the links to obtain a link set;
the statistical model determining module is configured to determine a statistical model corresponding to the link set by using a Bayesian information criterion;
the first probability distribution sequence acquisition module is configured to obtain a first probability distribution sequence of the first round trip delay of the target link based on the statistical model corresponding to the link set to which the target link belongs for the target link; the target link is any one of the links in the target network; the first round trip delay which is repeated is not included in the first probability distribution sequence;
a second probability distribution sequence acquisition module configured to acquire a time sequence of a second round trip delay of the target link, and obtain a second probability distribution sequence of the first round trip delay of the target link according to a probability that the first round trip delay is distributed in the time sequence of the second round trip delay; the time sequence of the second round trip delay comprises a plurality of second round trip delays; the second probability distribution sequence does not contain repeated first round trip delay;
and the network anomaly determination module is configured to obtain a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence.
Based on the same inventive concept, the present disclosure provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method as described above when executing the program.
As can be seen from the foregoing, the method for detecting network anomalies based on a round trip delay time sequence provided by the present disclosure includes: carrying out route tracking on a target network to obtain a time sequence of first round trip delay of a plurality of links in the target network; the time sequence of the first round trip delay comprises a plurality of first round trip delays; clustering links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set; determining a statistical model corresponding to the link set by using a Bayesian information criterion; for a target link, obtaining a first probability distribution sequence of a first round trip delay of the target link based on a statistical model corresponding to a link set to which the target link belongs; the target link is any link in the target network; the first probability distribution sequence does not contain repeated first round trip delay; acquiring a time sequence of second round trip delay of a target link, and acquiring a second probability distribution sequence of first round trip delay of the target link according to the probability of distribution of the first round trip delay in the time sequence of the second round trip delay; the time sequence of the second round trip delay comprises a plurality of second round trip delays; the second probability distribution sequence does not contain repeated first round trip delay; and obtaining a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence. By the method and the device, network abnormality can be accurately and rapidly detected.
Drawings
In order to more clearly illustrate the technical solutions of the present disclosure or related art, the drawings required for the embodiments or related art description will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
Fig. 1 is a schematic flow chart of a network anomaly detection method based on a round trip delay time sequence according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of a network anomaly detection device based on a round trip delay time sequence according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of more specific hardware of an electronic device according to an embodiment of the disclosure.
Detailed Description
For the purposes of promoting an understanding of the principles and advantages of the disclosure, reference will now be made to the embodiments illustrated in the drawings and specific language will be used to describe the same.
It should be noted that unless otherwise defined, technical or scientific terms used in the embodiments of the present disclosure should be given the ordinary meaning as understood by one of ordinary skill in the art to which the present disclosure pertains. The terms "first," "second," and the like, as used in embodiments of the present disclosure, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
The present disclosure recognizes that network anomalies typically affect multiple entities, and that studying the correlation between them allows for a more thorough understanding of network status and assessment of the scope of impact of network anomalies. Specifically, when a network anomaly occurs in a certain link, the network state of neighboring links having similar characteristics is affected. Therefore, if links having similar characteristics can be aggregated by studying the correlation between links, it is possible to accurately detect network anomalies in a target area by detecting a small number of links and to evaluate the scope of influence of the network anomalies. Further, the efficiency of network anomaly detection also depends on which model is used to process the network anomaly detection data.
In view of this, the disclosure provides a method and related apparatus for detecting network anomalies based on a round trip delay time sequence.
Fig. 1 is a schematic flow chart of a network anomaly detection method based on a round trip delay time sequence according to an embodiment of the present disclosure; a network anomaly detection method based on a time sequence of round trip delay comprises the following steps:
S110, carrying out route tracking on the target network to obtain a time sequence of first round trip delay of a plurality of links in the target network.
The time sequence of the first round trip delays includes a plurality of first round trip delays.
Route tracking (traceroute) may be used to measure router information from source to destination, and the traceroute command may traverse all routers on the packet transmission path, which may adapt to the Internet multi-gateway interconnection architecture, and track any one of the routing paths that the packet may traverse in real time. The return information of traceroute includes a source address, a destination address, a router address along which the packet passes, and a round-trip time (RTT). By monitoring the round trip delay, the transmission performance and connectivity of the link can be detected.
The round trip delay is a performance indicator in a computer network. It represents the total delay from the time when data is sent by a sender to the time when the sender receives an acknowledgement from the receiver (the receiver sends an acknowledgement immediately after receiving the data). The round trip delay is determined by three parts: the propagation time of the link, the processing time of the end systems, and the queuing and processing time in the buffers of the routers. For a given TCP connection the values of the first two parts are relatively fixed, whereas the queuing and processing time in the routers' buffers varies with the overall network congestion level. Therefore, the change in round trip delay can reflect the change in the network congestion level to some extent.
In some embodiments, S110 specifically includes:
and carrying out route tracking on the target network to obtain the first round trip delay of links in the target network at different moments.
For any link, extracting the first round trip delay of the link at the same time interval, and generating a time sequence of the first round trip delay of the link.
The first round trip delay referred to in this disclosure does not mean a single round trip delay but a class of round trip delays: specifically, the plurality of round trip delays acquired the first time the method is executed, where "the first time" means acquiring the round trip delay a plurality of times within a certain period of time rather than only once. Likewise, when route tracking and round trip delay acquisition are performed a second time while executing the method, "the second time" does not mean a single acquisition but a plurality of round trip delays acquired within a certain period of time; these are called second round trip delays, and the second round trip delay again denotes a class of round trip delays rather than one round trip delay. Because some of the steps in this disclosure are executed cyclically, the terms first, second, etc. are used for distinction only and not to limit the scheme itself.
In some embodiments, a plurality of probes at different positions are provided to continuously track the route of the target network (the monitored network area), so that the round trip delay of each link in the target network at different moments can be obtained.
As an example, the link formed by any two nodes $v_i$ and $v_j$ in the target network is denoted as $L_{i,j}$, and the measured first round trip delay of link $L_{i,j}$ at time $t$ is denoted as
Figure BDA0003282489010000051
Assuming that the total duration of the measurement is $T$ ($1 \to T$), the time sequence of the first round trip delay of link $L_{i,j}$ is expressed as
Figure BDA0003282489010000052
S120, clustering the links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set.
In some embodiments, S120 specifically includes:
Step 1: Take any link as a seed link, extract all links connected with the seed link, and add them to the initial link set.
Step 2: Calculate the similarity between the time sequence of the first round trip delay of the seed link and the time sequence of the first round trip delay of each link in the initial link set, extract the links whose similarity is greater than or equal to a similarity threshold, and add the seed link and those links to the alternative link set.
Step 3: Filter out the links in the alternative link set that have already been used as seed links, and execute Step 1 and Step 2 on the remaining links in the alternative link set until no links with similarity greater than or equal to the similarity threshold exist; then take the alternative link set as the link set.
Step 4: Acquire all links in the target network and filter out the links that are already in a link set to obtain the remaining links. Execute Step 1, Step 2 and Step 3 on the remaining links until all links in the target network are clustered into a plurality of link sets.
As an example, a link $L_{i,j}$ is randomly selected as a seed link, and all links connected to the seed link are extracted and added to the initial link set
Figure BDA0003282489010000065
The similarity between the time sequence of the first round trip delay of the seed link $L_{i,j}$ and that of each link in the initial link set
Figure BDA0003282489010000066
is computed, the links with similarity greater than or equal to the similarity threshold are extracted, and the seed link and all links with similarity greater than or equal to the similarity threshold are added to the alternative link set $F_{i,j}$.
In some embodiments, the Euclidean distance is used to calculate the similarity of the time series of round trip delays for any two links.
Assume that the time series of round trip delays of two links $L_{i,j}$ and $L_{k,l}$ are, respectively,
Figure BDA0003282489010000061
and
Figure BDA0003282489010000062
Their similarity
Figure BDA0003282489010000063
is calculated as follows:
Figure BDA0003282489010000064
The similarity of the time sequences of the round trip delays of the links in the target network is calculated to obtain a similarity cumulative distribution function, and the inflection point in the cumulative distribution diagram corresponding to the similarity cumulative distribution function is selected as the similarity threshold. Under this criterion, two links are considered similar when the similarity of the time sequences of their round trip delays is greater than or equal to the similarity threshold.
The above embodiment uses the Euclidean distance to calculate the similarity of the round trip delay time sequences of any two links, but the disclosure is not limited thereto. In some possible implementations, the similarity may be calculated by other similarity algorithms, such as cosine similarity, Hamming distance, Manhattan distance, Chebyshev distance, and the like.
All links in the target network are clustered into a plurality of link sets, where each link set is a category. The set of all categories is recorded as $N$, and the k-th category is recorded as $N_k$.
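The seed-and-grow clustering of Steps 1 to 4, as an added Python example that is not part of the patent text. It assumes a similarity of 1 / (1 + Euclidean distance), a fixed threshold instead of the CDF inflection point, and that two links are connected when they share a node; the function names and RTT values are constructed for illustration.

```python
import math


def similarity(a, b):
    """Assumed similarity: 1 / (1 + Euclidean distance), so larger means closer.

    The patent's own formula is not recoverable from the page; this choice only
    keeps the ">= threshold means similar" rule of Step 2 meaningful.
    """
    dist = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return 1.0 / (1.0 + dist)


def connected(link_a, link_b):
    """Assumption: two distinct links are connected when they share a node."""
    return link_a != link_b and bool(set(link_a) & set(link_b))


def cluster_links(series, threshold):
    """Cluster links by RTT similarity and connectivity (Steps 1 to 4).

    series maps a link (node_a, node_b) to its equal-length RTT time sequence.
    Returns a sorted list of link sets, each a sorted list of links.
    """
    remaining = set(series)
    link_sets = []
    while remaining:                          # Step 4: repeat on leftover links
        first_seed = min(remaining)           # deterministic; the text picks any link
        alternative = {first_seed}            # the alternative link set
        pending = [first_seed]                # members not yet used as a seed
        while pending:                        # Step 3: every member seeds once
            seed = pending.pop()
            # Step 1: links connected to the seed that are not yet grouped
            initial = [link for link in remaining
                       if connected(seed, link) and link not in alternative]
            # Step 2: keep those whose series is similar enough to the seed's
            for link in initial:
                if similarity(series[seed], series[link]) >= threshold:
                    alternative.add(link)
                    pending.append(link)
        link_sets.append(sorted(alternative))
        remaining -= alternative
    return sorted(link_sets)


# Constructed RTT series in milliseconds, four samples per link.
RTT_SERIES = {
    ("A", "B"): [10.0, 11.0, 10.0, 12.0],
    ("B", "C"): [10.2, 11.1, 10.1, 12.2],   # close to A-B and connected to it
    ("C", "D"): [30.0, 31.0, 29.0, 30.0],   # connected to B-C but very different
    ("D", "E"): [30.1, 31.2, 29.1, 30.1],   # close to C-D and connected to it
    ("X", "Y"): [10.0, 11.0, 10.0, 12.0],   # identical to A-B but not connected
}

if __name__ == "__main__":
    for link_set in cluster_links(RTT_SERIES, threshold=0.5):
        print(link_set)
```

Link X-Y ends up in its own set even though its series matches A-B exactly, because the procedure only grows a set along connected links.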
S130, determining a statistical model corresponding to the link set by using a Bayesian information criterion.
In some embodiments, S130 specifically includes:
The target link set is modeled with each of the different types of alternative statistical models, and the Bayesian information value of each alternative statistical model is calculated.
The target link set is any link set.
The alternative statistical model with the lowest Bayesian information value is taken as the statistical model corresponding to the link set.
In some embodiments, the alternative statistical model includes:
a normal model, a lognormal model, a GEV model, and a Burr Type XII model.
Normal model:
Figure BDA0003282489010000071
where μ is the average and δ is the variance.
Log-normal model:
Figure BDA0003282489010000072
where μ is the average and δ is the variance.
GEV model:
Figure BDA0003282489010000073
where μ is a location parameter, δ is a scale parameter, and ζ is a shape parameter.
Burr Type XII model:
Figure BDA0003282489010000074
where a is a scale parameter and c and k are shape parameters.
In some embodiments, the goodness of fit and the complexity of the alternative statistical models are evaluated using the Bayesian information criterion (BIC), the expression of which is as follows:
Figure BDA0003282489010000075
where N represents the sample size, K represents the number of parameters, I represents the number of nodes in the target network, and
Figure BDA0003282489010000076
represents the maximum value of the likelihood function of the time sequence of the first round trip delay
Figure BDA0003282489010000077
Wherein, the smaller the value of BIC, the higher the fitting degree and the lower the complexity of the alternative statistical model, namely the better the alternative statistical model.
For any category $N_k$, the BIC values of the 4 alternative statistical models are calculated using the above formula. The candidate model with the lowest BIC value is then selected to model the links under that category.
Establishing a network behavior model based on measuring and testing the network is an effective way to understand network behavior, however, in the related art, the fitting degree and complexity of the statistical model are not considered when modeling the network measurement data. The present disclosure recognizes that because of the randomness of network measurements, an appropriate statistical model is required to describe network performance. The model with higher fitting goodness can optimize the analysis of data, and provides accurate understanding of the current network condition for a network manager. In addition, the model complexity is low, the calculation time can be reduced, and unnecessary calculation cost is avoided. Therefore, the influence of the model fitting degree and the complexity on the modeling of the time sequence of the first round trip delay is considered through the technical means, the proper statistical model is selected to model the time sequence of the first round trip delay to detect network abnormality, and the network abnormality can be accurately and rapidly detected compared with the detection method in the related technology.
S140, for the target link, obtaining a first probability distribution sequence of the first round trip delay of the target link based on a statistical model corresponding to the link set to which the target link belongs.
The target link is any link in the target network; the first probability distribution sequence does not contain repeated first round trip delays.
In some embodiments, S140 specifically includes:
sequencing the first round trip delays in the time sequence of the first round trip delays of the target link according to the order of magnitude to obtain a sequence of the first round trip delays sequenced according to the order of magnitude; wherein the sequence of the first round trip delays ordered according to the order of magnitude does not contain repeated first round trip delays;
and for the sequences of the first round trip delays ordered according to the order of magnitude, obtaining a first probability distribution sequence of the first round trip delays of the target links based on a statistical model corresponding to the link set to which the target links belong.
As an example, the time series of first round trip delays of any one link $L_{i,j}$ is extracted:
Figure BDA0003282489010000081
Optionally, the first round trip delays are sorted in order from small to large (i.e. ascending order) to obtain a sequence of first round trip delays sorted in order of magnitude
Figure BDA0003282489010000082
where
Figure BDA0003282489010000083
is
Figure BDA0003282489010000084
N is the number of values of the first round trip delay in the time series of the first round trip delay, and first round trip delays with equal values are counted as one.
The statistical model corresponding to the link set $F_{i,j}$ to which link $L_{i,j}$ belongs is determined, and the sequence of the first round trip delays ordered according to the order of magnitude is input into the statistical model to obtain the probability distribution sequence of the first round trip delay of link $L_{i,j}$
Figure BDA0003282489010000085
where
Figure BDA0003282489010000086
represents the probability density of
Figure BDA0003282489010000087
S150, obtaining a time sequence of the second round trip delay of the target link, and obtaining a second probability distribution sequence of the first round trip delay of the target link according to the probability that the first round trip delay is distributed in the time sequence of the second round trip delay.
The time sequence of the second round trip delay comprises a plurality of second round trip delays; the second sequence of probability distributions does not contain the repeated first round trip delay.
In some embodiments, S150 specifically includes:
For each first round trip delay in the sequence of first round trip delays ordered according to the order of magnitude, the number of times it occurs in the time sequence of the second round trip delay is counted, and from this the probability that each first round trip delay is distributed in the time sequence of the second round trip delay is calculated, giving the second probability distribution sequence of the first round trip delay of the target link.
As an example, obtain the time series of second round trip delays of link $L_{i,j}$
Figure BDA0003282489010000091
Determine, for
Figure BDA0003282489010000092
the first round trip delays
Figure BDA0003282489010000093
to
Figure BDA0003282489010000094
in
Figure BDA0003282489010000095
The resulting second probability distribution sequence is expressed as:
Figure BDA0003282489010000096
where
Figure BDA0003282489010000097
Figure BDA0003282489010000098
S160, obtaining a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence.
In some embodiments, S160 specifically includes:
calculating the relative entropy of the first probability distribution sequence and the second probability distribution sequence;
calculating the large deviation probability of the first probability distribution sequence and the second probability distribution sequence according to the relative entropy;
in response to determining that the large deviation probability is below the large deviation probability threshold, it is determined that the target network has a network anomaly.
As an example, when no network anomaly occurs, the probability with which the first round trip delays
Figure BDA0003282489010000099
to
Figure BDA00032824890100000910
occur in
Figure BDA00032824890100000911
(denoted $\varepsilon_Y(i, j)$) should be approximately equal to
Figure BDA00032824890100000912
(denoted $U(i, j)$). When the network is abnormal, $\varepsilon_Y(i, j)$ becomes inconsistent with $U(i, j)$, but this is a small-probability event; according to Sanov's theorem, the probability of such a small-probability event occurring is calculated as follows:
Figure BDA00032824890100000913
Figure BDA00032824890100000914
where the relative entropy $H(\varepsilon_Y(i, j)/U(i, j))$ is used to describe the similarity between $\varepsilon_Y(i, j)$ and $U(i, j)$.
The larger the relative entropy is, the larger the deviation between the actual state and the normal state of the network is. Since this phenomenon belongs to a small probability event, the probability of occurrence thereof, i.e., the large deviation probability $P(i, j)$, is low. In practice, the round trip delay of the link is in a steady state for a long period of time. Thus, for each link, the deviation between the actual measured value (based on the second probability distribution sequence) and the reference value (based on the first probability distribution sequence) is small. Only when the network is abnormal will the relative entropy increase, resulting in a smaller $P(i, j)$.
For any link $L_{i,j}$, the relative entropy between its true value (based on the second probability distribution sequence) and the reference value (based on the first probability distribution sequence) is calculated, resulting in its large deviation probability $P(i, j)$. When the large deviation probability $P(i, j)$ is lower than the preset probability threshold, link $L_{i,j}$ is judged to be abnormal. An anomaly on link $L_{i,j}$ may affect other links of the category in which it is located, resulting in a network anomaly.
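The S150 and S160 computation for one link, together with the Bayesian-information-criterion model choice it depends on, as an added example that is not code from the patent. The formula images are missing from this page, so the example assumes the usual Sanov estimate P ≈ exp(−n·H), with n the number of second round trip delays that match a first round trip delay value; it also assumes the model densities are normalised over the distinct first round trip delay values, fits only the normal and lognormal candidates, and uses constructed RTT samples, hypothetical function names and a constructed threshold of 0.05.

```python
import math
from collections import Counter


def _expand(hist):
    """Turn {rtt_ms: count} into a flat list of samples."""
    return [rtt for rtt, count in sorted(hist.items()) for _ in range(count)]


# Constructed RTT samples in whole milliseconds (not measurements from the patent).
BASELINE = _expand({18: 1, 19: 2, 20: 4, 21: 7, 22: 8, 23: 7, 24: 4, 25: 2, 26: 1})
NORMAL_WINDOW = _expand({18: 1, 19: 3, 20: 4, 21: 6, 22: 9, 23: 6, 24: 4, 25: 2, 26: 1})
CONGESTED_WINDOW = _expand({22: 2, 23: 4, 24: 8, 25: 10, 26: 8, 30: 1, 31: 1, 35: 1})
THRESHOLD = 0.05  # assumed large deviation probability threshold


def fit_normal(xs):
    """Maximum-likelihood normal fit: (name, parameter count, pdf)."""
    mu = sum(xs) / len(xs)
    sd = math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))
    norm = sd * math.sqrt(2 * math.pi)
    return "normal", 2, lambda x: math.exp(-((x - mu) ** 2) / (2 * sd * sd)) / norm


def fit_lognormal(xs):
    """Maximum-likelihood lognormal fit (RTTs must be > 0)."""
    logs = [math.log(x) for x in xs]
    mu = sum(logs) / len(logs)
    sd = math.sqrt(sum((v - mu) ** 2 for v in logs) / len(logs))
    norm = sd * math.sqrt(2 * math.pi)
    return "lognormal", 2, lambda x: math.exp(
        -((math.log(x) - mu) ** 2) / (2 * sd * sd)) / (x * norm)


def select_model(xs):
    """Pick the candidate with the lowest BIC = k*ln(n) - 2*ln(L)."""
    def bic(model):
        _, k, pdf = model
        return k * math.log(len(xs)) - 2 * sum(math.log(pdf(x)) for x in xs)
    return min((fit_normal(xs), fit_lognormal(xs)), key=bic)


def large_deviation(first_rtts, second_rtts):
    """Compare the model-based reference with what the second series shows."""
    name, _, pdf = select_model(first_rtts)
    values = sorted(set(first_rtts))          # ordered, no repeated delays

    # First probability distribution sequence U(i, j): model density at each
    # distinct value, normalised so it can be compared with frequencies
    # (the normalisation is an assumption of this example).
    dens = [pdf(v) for v in values]
    total = sum(dens)
    u = [d / total for d in dens]

    # Second probability distribution sequence eps_Y(i, j): how often each
    # first-RTT value occurs in the second series.
    counts = Counter(second_rtts)
    hits = [counts[v] for v in values]
    n = sum(hits)
    unmatched = len(second_rtts) - n          # samples outside the baseline values
    if n == 0:
        # Nothing in the window matches the baseline: treated here as maximal deviation.
        return {"model": name, "relative_entropy": math.inf, "p": 0.0,
                "matched": 0, "unmatched": unmatched}
    eps = [h / n for h in hits]

    # Relative entropy with the convention 0 * ln(0) = 0.
    h_rel = sum(e * math.log(e / max(q, 1e-300)) for e, q in zip(eps, u) if e > 0)
    h_rel = max(h_rel, 0.0)                   # guard against rounding below zero
    return {"model": name, "relative_entropy": h_rel, "p": math.exp(-n * h_rel),
            "matched": n, "unmatched": unmatched}


def is_anomalous(first_rtts, second_rtts, threshold=THRESHOLD):
    return large_deviation(first_rtts, second_rtts)["p"] < threshold


if __name__ == "__main__":
    for label, window in (("normal", NORMAL_WINDOW), ("congested", CONGESTED_WINDOW)):
        print(label, large_deviation(BASELINE, window))
```

Second-series samples that match no first round trip delay value drop out of the comparison, so the `unmatched` count is worth monitoring alongside the probability.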
As can be seen from the above, the network anomaly detection method and the related device based on the round trip delay time sequence provided by the present disclosure perform route tracking on the target network to obtain the time sequence of the first round trip delay of the link in the target network; clustering links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set; determining a statistical model corresponding to the link set by using a Bayesian information criterion; taking any link as a target link, and obtaining a first probability distribution sequence of a first round trip delay of the target link based on a statistical model corresponding to a link set to which the target link belongs; acquiring a time sequence of a second round trip delay of the target link, and acquiring a second probability distribution sequence of a first round trip delay of the target link based on the time sequence of the second round trip delay; and obtaining a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence. By the method and the device, network abnormality can be accurately and rapidly detected.
By researching the correlation among links, the method obtains a plurality of groups of links (namely link sets) with similar characteristics, can accurately detect network anomalies by detecting a small number of links, and evaluates the influence range of the network anomalies.
The method and the device take the influence of model fitting degree and complexity on modeling of the time sequence of the round trip delay into consideration through the technical means, and select a proper statistical model to model the time sequence of the round trip delay to detect network abnormality.
It should be noted that the method of the embodiments of the present disclosure may be performed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of embodiments of the present disclosure, the devices interacting with each other to accomplish the methods.
It should be noted that the foregoing describes some embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, the disclosure also provides a network anomaly detection device based on a round trip delay time sequence, which corresponds to the method of any embodiment.
Referring to fig. 2, the network anomaly detection device based on the round trip delay time sequence includes:
the round trip delay time sequence obtaining module 210 is configured to perform route tracking on the target network to obtain a time sequence of the first round trip delay of the plurality of links in the target network. The time sequence of the first round trip delays includes a plurality of first round trip delays.
The link clustering module 220 is configured to cluster links according to the similarity of the time sequence of the first round trip delay and the connection relationship between links, so as to obtain a link set.
The statistical model determining module 230 is configured to determine a statistical model corresponding to the link set using the Bayesian information criterion.
The first probability distribution sequence obtaining module 240 is configured to obtain, for the target link, a first probability distribution sequence of the first round trip delay of the target link based on a statistical model corresponding to a link set to which the target link belongs. The target link is any link in the target network. The first probability distribution sequence does not contain repeated first round trip delays.
The second probability distribution sequence obtaining module 250 is configured to obtain a time sequence of the second round trip delay of the target link, and obtain a second probability distribution sequence of the first round trip delay of the target link according to the probability that the first round trip delay is distributed in the time sequence of the second round trip delay. The time sequence of the second round trip delays includes a plurality of second round trip delays. The second sequence of probability distributions does not contain the repeated first round trip delay.
The network anomaly determination module 260 is configured to obtain a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of the various modules may be implemented in the same one or more pieces of software and/or hardware when implementing the present disclosure.
The device of the foregoing embodiment is configured to implement the corresponding round trip delay-based network anomaly detection method in any one of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, the present disclosure also provides an electronic device corresponding to the method of any embodiment, which includes a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the processor implements the network anomaly detection method based on the round trip delay time sequence according to any embodiment when executing the program.
Fig. 3 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), microprocessor, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage device, dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs, and when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown in the figure) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the corresponding round trip delay-based network anomaly detection method in any one of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, corresponding to any of the above embodiments of the method, the present disclosure further provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the network anomaly detection method based on the round trip delay time sequence according to any of the above embodiments.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiments are configured to cause the computer to perform the network anomaly detection method based on the round trip delay time sequence of any one of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which are not described herein.
It should be noted that the embodiments of the present disclosure may be further described in the following manner:
a network anomaly detection method based on a time sequence of round trip delay comprises the following steps:
carrying out route tracking on a target network to obtain a time sequence of first round trip delay of a plurality of links in the target network; the time sequence of the first round trip delay comprises a plurality of first round trip delays;
clustering links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set;
determining a statistical model corresponding to the link set by using a Bayesian information criterion;
for a target link, obtaining a first probability distribution sequence of a first round trip delay of the target link based on a statistical model corresponding to a link set to which the target link belongs; the target link is any link in the target network; the first probability distribution sequence does not contain repeated first round trip delay;
Acquiring a time sequence of second round trip delay of a target link, and acquiring a second probability distribution sequence of first round trip delay of the target link according to the probability of distribution of the first round trip delay in the time sequence of the second round trip delay; the time sequence of the second round trip delay comprises a plurality of second round trip delays; the second probability distribution sequence does not contain repeated first round trip delay;
and obtaining a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence.
Optionally, the route tracking is performed on the target network to obtain a time sequence of the first round trip delay of the plurality of links in the target network, including:
carrying out route tracking on the target network to obtain first round trip delay of links in the target network at different moments;
for any link, extracting the first round trip delay of the link at the same time interval, and generating a time sequence of the first round trip delay of the link.
Optionally, clustering the links according to the similarity of the time sequence of the first round trip delay and the connection relationship between the links to obtain a link set, including:
step 1: taking any link as a seed link, extracting all links connected with the seed link, and adding the links into an initial link set;
Step 2: calculating the similarity of the time sequence of the first round trip delay of the seed link and the time sequence of the first round trip delay of each link in the initial link set, extracting links with the similarity greater than or equal to a similarity threshold, and adding the seed link and the links with the similarity greater than or equal to the similarity threshold into an alternative link set;
step 3: filtering links which are used as seed links in the alternative link set, executing the step 1 and the step 2 on the rest links in the alternative link set until no links with similarity greater than or equal to a similarity threshold exist, and taking the alternative link set as a link set;
step 4: acquiring all links in a target network, and filtering links in a link set in all links to obtain residual links; step 1, step 2 and step 3 are performed on the remaining links until all links in the target network are clustered into a plurality of link sets.
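Steps 1 to 4 above as an added example, not code from the patent. It assumes two links are connected when they share an endpoint node and uses Pearson correlation as the similarity measure; the link names, RTT series, helper names and the threshold of 0.8 are constructed for illustration.

```python
import math

# Constructed per-link RTT time series (ms), sampled at the same time interval.
SERIES = {
    ("A", "B"): [10, 12, 11, 15, 14, 18, 13, 12],
    ("B", "C"): [16, 17, 17, 20, 20, 23, 19, 17],   # follows A-B closely
    ("C", "D"): [20, 24, 22, 30, 28, 36, 26, 24],   # follows A-B closely
    ("D", "E"): [20, 19, 22, 18, 21, 17, 23, 19],   # different behaviour
    ("E", "F"): [23, 22, 26, 21, 24, 20, 27, 22],   # follows D-E closely
    ("X", "Y"): [10, 12, 11, 15, 14, 18, 13, 12],   # similar to A-B, but not connected
}
SIMILARITY_THRESHOLD = 0.8  # assumed similarity threshold


def pearson(a, b):
    """Pearson correlation of two equally sampled series (assumed similarity measure)."""
    n = min(len(a), len(b))
    a, b = a[:n], b[:n]
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0  # a flat series carries no shape to compare
    return cov / math.sqrt(var_a * var_b)


def connected(link_a, link_b):
    """Assumption: links are connected when they share an endpoint node."""
    return link_a != link_b and bool(set(link_a) & set(link_b))


def grow_link_set(seed, series, candidates, threshold):
    """Steps 1-3: grow one link set outward from a seed link."""
    link_set = {seed}            # the alternative link set
    to_seed = [seed]             # members not yet used as a seed
    while to_seed:
        current = to_seed.pop(0)
        # Step 1: initial link set = links connected to the current seed.
        initial = [l for l in candidates if connected(current, l) and l not in link_set]
        # Step 2: keep those whose series is similar enough to the seed's.
        for link in initial:
            if pearson(series[current], series[link]) >= threshold:
                link_set.add(link)
                to_seed.append(link)   # Step 3: it becomes a seed later
    return link_set


def cluster_links(series, threshold=SIMILARITY_THRESHOLD):
    """Step 4: repeat on the remaining links until every link is in a set."""
    remaining = sorted(series)   # deterministic seed order
    link_sets = []
    while remaining:
        members = grow_link_set(remaining[0], series, remaining, threshold)
        link_sets.append(sorted(members))
        remaining = [l for l in remaining if l not in members]
    return link_sets


if __name__ == "__main__":
    for members in cluster_links(SERIES):
        print(members)
```

Link X-Y ends up alone despite matching A-B exactly, because similarity is only evaluated between connected links.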
Optionally, determining the statistical model corresponding to the link set by using the Bayesian information criterion includes:
modeling the target link set by using different types of alternative statistical models respectively, and calculating Bayesian information values of the different types of alternative statistical models; the target link set is any link set;
And taking the alternative statistical model with the lowest Bayesian information value as the statistical model corresponding to the link set.
Optionally, the alternative statistical model includes:
a normal model, a lognormal model, a GEV model, and a Burr type XII model.
Optionally, for the target link, based on a statistical model corresponding to a link set to which the target link belongs, a first probability distribution sequence of a first round trip delay of the target link is obtained, including:
sequencing the first round trip delays in the time sequence of the first round trip delays of the target link according to the order of magnitude to obtain a sequence of the first round trip delays sequenced according to the order of magnitude; wherein the sequence of the first round trip delays ordered according to the order of magnitude does not contain repeated first round trip delays;
and for the sequences of the first round trip delays ordered according to the order of magnitude, obtaining a first probability distribution sequence of the first round trip delays of the target links based on a statistical model corresponding to the link set to which the target links belong.
Optionally, the obtaining a time sequence of the second round trip delay of the target link and obtaining a second probability distribution sequence of the first round trip delay of the target link according to the probability that the first round trip delay is distributed in the time sequence of the second round trip delay includes:
For each first round trip delay in the sequence of first round trip delays ordered by magnitude, the number of times it occurs in the time sequence of the second round trip delay is counted; the probability with which each first round trip delay is distributed in the time sequence of the second round trip delay is then calculated, giving the second probability distribution sequence of the first round trip delay of the target link.
Optionally, obtaining the network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence includes:
calculating the relative entropy of the first probability distribution sequence and the second probability distribution sequence;
calculating the large deviation probability of the first probability distribution sequence and the second probability distribution sequence according to the relative entropy;
in response to determining that the large deviation probability is below the large deviation probability threshold, it is determined that the target network has a network anomaly.
A round trip delay based time series network anomaly detection apparatus comprising:
the round trip delay time sequence acquisition module is configured to perform route tracking on a target network to obtain a time sequence of first round trip delays of a plurality of links in the target network; the time sequence of the first round trip delay comprises a plurality of first round trip delays;
The link clustering module is configured to cluster the links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set;
the statistical model determining module is configured to determine a statistical model corresponding to the link set by using a Bayesian information criterion;
the first probability distribution sequence acquisition module is configured to acquire a first probability distribution sequence of a first round trip delay of a target link based on a statistical model corresponding to a link set to which the target link belongs for the target link; the target link is any link in the target network; the first probability distribution sequence does not contain repeated first round trip delay;
the second probability distribution sequence acquisition module is configured to acquire a time sequence of the second round trip delay of the target link and acquire a second probability distribution sequence of the first round trip delay of the target link according to the probability that the first round trip delay is distributed in the time sequence of the second round trip delay; the time sequence of the second round trip delay comprises a plurality of second round trip delays; the second probability distribution sequence does not contain repeated first round trip delay;
the network anomaly determination module is configured to obtain a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence.
An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing a method as described above when executing the program.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the disclosure, including the claims, is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined under the idea of the present disclosure, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present disclosure as described above, which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present disclosure. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present disclosure, and this also accounts for the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform on which the embodiments of the present disclosure are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The disclosed embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Accordingly, any omissions, modifications, equivalents, improvements, and the like, which are within the spirit and principles of the embodiments of the disclosure, are intended to be included within the scope of the disclosure.

Claims (10)

1. A network anomaly detection method based on a time sequence of round trip delay comprises the following steps:
carrying out route tracking on a target network to obtain a time sequence of first round trip delay of a plurality of links in the target network; the time sequence of the first round trip delay comprises a plurality of first round trip delays;
clustering the links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set;
determining a statistical model corresponding to the link set by using a Bayesian information criterion;
For a target link, obtaining a first probability distribution sequence of the first round trip delay of the target link based on the statistical model corresponding to the link set to which the target link belongs; the target link is any one of the links in the target network; the first round trip delay which is repeated is not included in the first probability distribution sequence;
acquiring a time sequence of a second round trip delay of the target link, and acquiring a second probability distribution sequence of the first round trip delay of the target link according to the probability of the first round trip delay distributed in the time sequence of the second round trip delay; the time sequence of the second round trip delay comprises a plurality of second round trip delays; the second probability distribution sequence does not contain repeated first round trip delay;
obtaining a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence, wherein the network anomaly detection result specifically comprises the following steps: calculating the relative entropy of the first probability distribution sequence and the second probability distribution sequence, and calculating the large deviation probability of the first probability distribution sequence and the second probability distribution sequence according to the relative entropy; in response to determining that the large deviation probability is below a large deviation probability threshold, determining that a network anomaly exists for the target network.
2. The method of claim 1, wherein the route tracking of the target network results in a time series of first round trip delays for a plurality of links in the target network, comprising:
carrying out route tracking on the target network to obtain the first round trip delay of the link in the target network at different moments;
for any one of the links, extracting the first round trip delay of the link at the same time interval, and generating a time sequence of the first round trip delay of the link.
3. The method of claim 1, wherein the clustering the links according to the similarity of the time series of the first round trip delay and the connection relationship between the links to obtain a link set includes:
step 1: taking any one of the links as a seed link, extracting all the links connected with the seed link, and adding the links into an initial link set;
step 2: calculating the similarity of the time sequence of the first round trip delay of the seed link and the time sequence of the first round trip delay of each link in the initial link set, extracting the links with the similarity greater than or equal to a similarity threshold, and adding the seed link and the links with the similarity greater than or equal to the similarity threshold into an alternative link set;
Step 3: filtering out the links which are used as the seed links in the alternative link set, executing the step 1 and the step 2 on the rest links in the alternative link set until the links with the similarity being greater than or equal to a similarity threshold value do not exist, and taking the alternative link set as the link set;
step 4: acquiring all links in the target network, and filtering out the links in the link set in all the links to obtain the remaining links; performing step 1, step 2 and step 3 on the remaining links until all the links in the target network are clustered into a plurality of link sets.
4. The method of claim 1, wherein the determining, using the Bayesian information criterion, a statistical model corresponding to the link set comprises:
modeling a target link set by using alternative statistical models of different categories respectively, and calculating Bayesian information values of the alternative statistical models of different categories; the target link set is any link set;
and taking the alternative statistical model with the lowest Bayesian information value as the statistical model corresponding to the link set.
5. The method of claim 4, wherein the alternative statistical model comprises:
a normal model, a lognormal model, a GEV model, and a Burr type XII model.
6. The method of claim 1, wherein the obtaining, for a target link, a first probability distribution sequence of the first round trip delay of the target link based on the statistical model corresponding to the link set to which the target link belongs, comprises:
sequencing the first round trip delays in the time sequence of the first round trip delays of the target link according to the order of magnitude to obtain a sequence of the first round trip delays sequenced according to the order of magnitude; wherein the sequence of the first round trip delays ordered in order of magnitude does not contain the repeated first round trip delays;
and for the sequences of the first round trip delays ordered according to the order of magnitude, obtaining the first probability distribution sequences of the first round trip delays of the target links based on the statistical model corresponding to the link set to which the target links belong.
7. The method of claim 6, wherein the obtaining the time sequence of the second round trip delay of the target link and obtaining the second probability distribution sequence of the first round trip delay of the target link based on the probability that the first round trip delay is distributed in the time sequence of the second round trip delay, comprises:
Calculating the occurrence times of each first round trip delay in the time sequence of the second round trip delay in the sequence of the first round trip delays ordered according to the order of magnitude, and further calculating the probability of each first round trip delay being distributed in the time sequence of the second round trip delay, so as to obtain a second probability distribution sequence of the first round trip delay of the target link.
8. The method of claim 1, wherein the obtaining the network anomaly detection result according to the large deviation probabilities of the first probability distribution sequence and the second probability distribution sequence comprises:
calculating the relative entropy of the first probability distribution sequence and the second probability distribution sequence;
calculating the large deviation probability of the first probability distribution sequence and the second probability distribution sequence according to the relative entropy;
in response to determining that the large deviation probability is below a large deviation probability threshold, determining that a network anomaly exists for the target network.
9. A network anomaly detection apparatus based on a round trip delay time sequence, comprising:
a round trip delay time sequence acquisition module configured to perform route tracking on a target network to obtain a time sequence of first round trip delays of a plurality of links in the target network; the time sequence of the first round trip delay comprises a plurality of first round trip delays;
a link clustering module configured to cluster the links according to the similarity of the time sequences of the first round trip delay and the connection relation between the links to obtain a link set;
a statistical model determining module configured to determine a statistical model corresponding to the link set by using a Bayesian information criterion;
a first probability distribution sequence acquisition module configured to obtain, for a target link, a first probability distribution sequence of the first round trip delay of the target link based on the statistical model corresponding to the link set to which the target link belongs; the target link is any one of the links in the target network; the first probability distribution sequence does not contain repeated first round trip delays;
a second probability distribution sequence acquisition module configured to acquire a time sequence of a second round trip delay of the target link, and obtain a second probability distribution sequence of the first round trip delay of the target link according to the probability that the first round trip delay is distributed in the time sequence of the second round trip delay; the time sequence of the second round trip delay comprises a plurality of second round trip delays; the second probability distribution sequence does not contain repeated first round trip delays;
a network anomaly determination module configured to obtain a network anomaly detection result according to the large deviation probability of the first probability distribution sequence and the second probability distribution sequence, and specifically configured to: calculate the relative entropy of the first probability distribution sequence and the second probability distribution sequence, and calculate the large deviation probability of the first probability distribution sequence and the second probability distribution sequence according to the relative entropy; and, in response to determining that the large deviation probability is below a large deviation probability threshold, determine that a network anomaly exists for the target network.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1 to 8 when the program is executed.
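The detection steps of claims 4 to 8 can be followed end to end in the Python sketch below, which is an added example and not part of the patent text. It assumes RTTs quantised to whole milliseconds, a link set consisting of the single link, only the normal and lognormal candidates from claim 5, and a Sanov-style estimate exp(-n·D) for the large deviation probability (the claims name relative entropy but give no formula); the sample data, the threshold and the `unseen` field are constructed for illustration.

```python
import math
from collections import Counter

def select_model(rtts):
    """Fit normal and lognormal by maximum likelihood; return (name, pdf) with the lowest BIC."""
    n, best = len(rtts), None
    for name, tf in (("normal", float), ("lognormal", math.log)):
        ys = [tf(x) for x in rtts]
        mu = sum(ys) / n
        var = sum((y - mu) ** 2 for y in ys) / n
        def pdf(x, tf=tf, mu=mu, var=var, log_scale=(name == "lognormal")):
            d = math.exp(-(tf(x) - mu) ** 2 / (2 * var)) / math.sqrt(2 * math.pi * var)
            return d / x if log_scale else d  # 1/x Jacobian for the lognormal density
        bic = 2 * math.log(n) - 2 * sum(math.log(pdf(x)) for x in rtts)  # k = 2 parameters
        if best is None or bic < best[0]:
            best = (bic, name, pdf)
    return best[1], best[2]

def detect(baseline, window, pdf, threshold):
    values = sorted(set(baseline))        # claim 6: ordered by magnitude, no repeats
    dens = [pdf(v) for v in values]
    p = [d / sum(dens) for d in dens]     # first sequence: model probability per value
    n, counts = len(window), Counter(window)
    q = [counts[v] / n for v in values]   # claim 7: frequency of each value in the window
    kl = sum(qi * math.log(qi / pi) for qi, pi in zip(q, p) if qi > 0)  # D(q || p)
    ldp = math.exp(-n * kl)               # assumed Sanov-style large deviation estimate
    # "unseen" is an addition: share of window samples that match no baseline value.
    return {"kl": kl, "ldp": ldp, "anomaly": ldp < threshold, "unseen": 1 - sum(q)}

# Constructed sample data for one link: RTT in ms -> number of observations.
COUNTS = {10: 6, 11: 14, 12: 20, 13: 14, 14: 8, 15: 4, 16: 2, 18: 1, 20: 1}
BASELINE = [v for v, c in COUNTS.items() for _ in range(c)]
NORMAL = [12, 11, 13, 12, 12, 14, 11, 13, 12, 10, 13, 12, 11, 14, 12, 13, 15, 12, 11, 13]
SHIFTED = [16] * 6 + [18] * 8 + [20] * 6   # delays concentrated in the baseline's tail
THRESHOLD = 1e-6                           # hypothetical large deviation threshold

if __name__ == "__main__":
    name, pdf = select_model(BASELINE)
    for label, win in (("normal", NORMAL), ("shifted", SHIFTED)):
        print(name, label, detect(BASELINE, win, pdf, THRESHOLD))
```

A window whose delays never occur in the baseline contributes nothing to the relative entropy, so `ldp` stays at 1.0 and no anomaly is reported; the `unseen` value exposes that case to the caller.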
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111136164.3A CN114039889B (en) 2021-09-27 2021-09-27 Network anomaly detection method and related device based on round trip delay time sequence

Publications (2)

Publication Number Publication Date
CN114039889A CN114039889A (en) 2022-02-11
CN114039889B true CN114039889B (en) 2023-06-16

Family

ID=80134689

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111136164.3A Active CN114039889B (en) 2021-09-27 2021-09-27 Network anomaly detection method and related device based on round trip delay time sequence

Country Status (1)

Country Link
CN (1) CN114039889B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9628499B1 (en) * 2012-08-08 2017-04-18 Google Inc. Statistics-based anomaly detection
CN108768778A (en) * 2018-05-31 2018-11-06 中国商用飞机有限责任公司北京民用飞机技术研究中心 A kind of network delay computational methods, device, equipment and storage medium
CN112637132A (en) * 2020-12-01 2021-04-09 北京邮电大学 Network anomaly detection method and device, electronic equipment and storage medium

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7768910B2 (en) * 2005-02-04 2010-08-03 Neidhardt Arnold L Calculations for admission control
KR100726352B1 (en) * 2006-03-28 2007-06-08 중앙대학교 산학협력단 Analyzeing system of network traffic according to variable communication's mass and analyzeing method thereof
CN101060444A (en) * 2007-05-23 2007-10-24 西安交大捷普网络科技有限公司 Bayesian statistical model based network anomaly detection method
US10289471B2 (en) * 2016-02-08 2019-05-14 Nec Corporation Ranking causal anomalies via temporal and dynamical analysis on vanishing correlations
CN107070683A (en) * 2016-12-12 2017-08-18 国网北京市电力公司 The method and apparatus of data prediction
CN109428785A (en) * 2017-09-01 2019-03-05 阿里巴巴集团控股有限公司 A kind of fault detection method and device
CN108650110B (en) * 2018-03-27 2021-01-08 北京航空航天大学 Link fault detection method under HPC indirect network environment
CN109660423A (en) * 2018-12-06 2019-04-19 南京邮电大学 Application system load predicting method, readable storage medium storing program for executing and terminal
CN113055245A (en) * 2021-03-01 2021-06-29 珠海格力电器股份有限公司 Communication link quality detection method, device, equipment and computer readable medium
CN113285831B (en) * 2021-05-24 2022-08-02 广州大学 Network behavior knowledge intelligent learning method and device, computer equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
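Research on an adaptive collection method based on multi-objective optimization; 洪意意 et al.; Proceedings of the 2020 China Information and Communication Conference; 272-276 *
Network anomaly detection method based on the round trip delay matrix subspace; 李柏楠; 钱叶魁; 罗兴国; Journal of Nanjing University of Science and Technology (02); 215-224 *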

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant